E01 Image format / tools


JimC
Senior Member
 

E01 Image format / tools

Posted: Nov 22, 19 18:05

Please can I ask:

Are there any tools that can produce E01 images in reverse sector order? I had assumed XWF could do this but upon investigation I found it was only supported for raw "dd" images.

Jim

www.binarymarkup.com  
 
  

AmNe5iA
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 24, 19 14:55

Just use XWays to do it to DD, then convert to e01. e01 isn't AFF4. The e01 format can't deal with out-of-order sector imaging, so you won't get any tool to read in reverse and create an e01 directly.
 
  

athulin
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 24, 19 19:57

- JimC
Are there any tools that can produce E01 images in reverse sector order? I had assumed XWF could do this but upon investigation I found it was only supported for raw "dd" images.


Before you do anything like that ... you need to ensure that that 'image' will never be treated or interpreted as an image taken from evidence disk drives. You may need to prepare the ground for that in some way, to ensure that if the question ever arises later if that image is a 'real image', the answer is emphatically 'no', even if you are not involved in answering that question.

(This probably means, at least, ensuring that the e01 header case information clearly says what has been done to it, but should probably be documented 'in writing' as well, along with some way of identifying the raw data, i.e. without relying on header information being correctly retained.)

Very, very few analysts would even consider the possibility that an e01 image isn't an image, but a constructed/manipulated image. This lays the foundation for the possibility of bad misinterpretation of evidence.

I think it would be safer to choose an image format that does not carry the same 'default interpretation overload' as e01 does, if possible.  
 
  

jaclaz
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 25, 19 09:11

@athulin
Do you mean that there is actually any use for an image with sectors in reverse order?

I thought that the point was acquiring in reverse order (this helps in some cases of data recovery) but the resulting image is "normal".

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

JimC
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 25, 19 10:37

- AmNe5iA
Just use XWays to do it to DD, then convert to e01. e01 isn't AFF4. The e01 format can't deal with out-of-order sector imaging, so you won't get any tool to read in reverse and create an e01 directly.


I appreciate this suggestion but agree with @athulin. This would mean that the final image was not a direct image and could thus be questioned. However, it is sometimes necessary to create a backwards image if the source disk is too damaged. In this case, it can be necessary to create a "dd" image in several stages to recover as much as possible. The option to do this backwards can help.

I have now read the spec for E01 in more detail and it seems implicit that:

1. The image starts at sector zero - You can create an image of either a physical disk or a single partition but the image itself doesn't record the starting sector.

2. It is implicit that the E01 data chunks are stored in ascending order - Although there is a little wriggle room here because although the "tables" section assumes the data chunks are in ascending order they can actually be stored out of order in the "sectors" section (used by more recent imaging tools)

3. The data chunks each represent a fixed size (typically 32KB) and, whilst they can be compressed, they must all be present, i.e. the E01 format doesn't seem to support any kind of 'sparse' storage. This seems like a huge oversight since many drives will contain a significant amount of unused storage.

I think this "wriggle room" could be used to create a backwards image but would be limited in practice because the E01 file is typically split into segments (e.g. 2GB or 4GB) and each segment has the same assumption that it contains data chunks in ascending order.

Could any E01 experts confirm if this analysis is correct?

Jim

www.binarymarkup.com  
 
  

Passmark
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 26, 19 00:19

Surely it is easier to just use a DD raw image for the whole project?
Why do the conversion at all?

There is a very narrow set of disk errors that reverse reading will help with and this set is getting smaller and smaller with modern drives.

And what is meant by a reverse read depends on the tool. I think some that do reverse reading actually read most of the disk in the normal order and only try reverse reading on bad sectors. So 99.9% of the disk is read in the normal order. Thus there is no technical reason E01 output couldn't be directly used (with the right tool). Data is put back into its correct order in RAM, then written out as an E01.

And for the novices, the disk doesn't spin backwards for a reverse read. Nor are the bytes within a sector read backwards. It just means you read the sectors out of order.

If you did convert the DD image to E01 via post processing it should be fairly trivial to check volume hashes to make sure the data is the same before and after conversion. There is no reason to think format conversion would corrupt the evidence. I'd be much more concerned about the corrupt source drive messing up the evidence. Especially if the tool did something like disable CRC checking on the source drive.  
 
  

jaclaz
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 26, 19 09:23

- Passmark

There is a very narrow set of disk errors that reverse reading will help with and this set is getting smaller and smaller with modern drives.

And what is meant by a reverse read depends on the tool. I think some that do reverse reading actually read most of the disk in the normal order and only try reverse reading on bad sectors. So 99.9% of the disk is read in the normal order.

Well said.

- Passmark
There is no reason to think format conversion would corrupt the evidence. I'd be much more concerned about the corrupt source drive messing up the evidence. Especially if the tool did something like disable CRC checking on the source drive.

Even better said.

I would add that (at an "atomic" level) you could well (in theory) create out of - say - a 500 GB disk, consisting of almost 1,000,000,000 sectors, the same 1,000,000,000 files, one per sector, and re-assemble these sectors in the correct order into a dd-image.
As long as the hash of each sector/file is correct and you re-assemble the image in the correct order, there is no messing with the evidence.
In practice, it would be a hell of a log to check.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
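The points made above by Passmark (a reverse read changes the order sectors are read in, not the layout of the image, so hashes before and after can be compared) and by jaclaz (a per-sector hash log that lets the reassembled image be verified), plus JimC's multi-stage acquisition of a damaged drive, as an added example. This is not code from the thread or from any named tool; the "disk" is a constructed in-memory sample, the `unreadable` set is a constructed stand-in for sectors a pass fails on, and `acquire`, `verify_log` and `image_hash` are hypothetical helper names.

```python
import hashlib
from typing import List, Optional, Set, Tuple

SECTOR_SIZE = 512
Log = List[Tuple[int, str]]          # (sector number, sha256 of its data), in read order
Stage = Tuple[bytearray, Log, List[int]]

def constructed_disk(n_sectors: int) -> List[bytes]:
    # Constructed sample media: every sector carries a distinct byte pattern.
    return [bytes((i * 7 + k) % 256 for k in range(SECTOR_SIZE))
            for i in range(n_sectors)]

def sector_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(disk: List[bytes], reverse: bool, unreadable: Set[int] = frozenset(),
            stage: Optional[Stage] = None) -> Stage:
    """One imaging pass. Sectors are READ forward or in reverse, but each one is
    WRITTEN at its true offset, so the raw image layout is always 'normal'.
    'unreadable' is a constructed failure set for this pass: those sectors stay
    zero-filled and are reported as missing. Passing the (image, log, missing)
    tuple of an earlier pass retries only the sectors it missed, which is the
    multi-stage recovery JimC describes."""
    n = len(disk)
    image, log, missing = stage or (bytearray(n * SECTOR_SIZE), [], list(range(n)))
    still_missing: List[int] = []
    for i in sorted(missing, reverse=reverse):
        if i in unreadable:
            still_missing.append(i)
            continue
        image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] = disk[i]
        log.append((i, sector_hash(disk[i])))
    return image, log, still_missing

def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def verify_log(image: bytes, log: Log) -> bool:
    """jaclaz's 'hell of a log': every logged sector hash must match the data now
    sitting at that sector's offset in the reassembled image."""
    return all(sector_hash(image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]) == h
               for i, h in log)

if __name__ == "__main__":
    disk = constructed_disk(16)
    fwd_img, fwd_log, _ = acquire(disk, reverse=False)
    rev_img, rev_log, _ = acquire(disk, reverse=True)
    print("read order (reverse pass):", [i for i, _ in rev_log])
    print("images identical:", image_hash(fwd_img) == image_hash(rev_img))
    print("per-sector log verifies:", verify_log(rev_img, rev_log))
```

The hash comparison is the same check Passmark suggests for a DD-to-E01 conversion: whatever the read order or container, the reassembled bytes must hash identically, and any sector left zero-filled by a failed pass shows up both in the missing list and as a differing whole-image hash.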
 
